1. Field of the Invention
The present invention relates to a method for authenticating a client to a plurality of servers by delegation using a challenge/response protocol.
2. Description of the Related Art
Authentication is a method that allows a web browser, or other client application, to provide credentials to a server application. The credentials may be in the form of a user name and password when making a request. If the correct credentials are provided to the server application, access to the server application is permitted. The client application may seek access to the server application for a particular service or product. Such authentication is common in the context of an HTTP transaction.
Although the implementation of an authentication scheme between the client application and the server application seems relatively simple, there are scenarios where authentication between the client application and the server application is not sufficient for particular types of services. For example, after the client application is authenticated to the server application, it may be necessary to authenticate the client application to a second server application. One solution is to require the client application to contact the second server application and directly authenticate itself to the second server application. However, this assumes that the client application is aware of the second server application and is familiar with the location of the second server application, whereas it is common for the client application to be unaware of the second server application after authenticating to the server application. This presents an issue with respect to authenticating the client application to the second server application subsequent to the authentication of the client application to the server application.
Another solution may include the server application authenticating itself to the second server application using the credentials associated with the server application rather than credentials associated with the client application. However, this method may present a few issues with respect to redundancy and the difficulty in enforcing such a method.
Referring to FIG. 4, a challenge/response sequence is shown according to the prior art. The challenge/response protocol is used to authenticate the client application in various systems. For example, NTLM is a Microsoft authentication protocol used with the SMB protocol. The protocol uses a challenge/response sequence requiring the transmission of three messages between the client application and the server application. The client application first sends a challenge/response request as provided in step S100. The challenge/response request may contain a set of flags indicating the features that the client application supports or requests from the server application. The features may include encryption key sizes, a request for mutual authentication, etc. The server application then responds with a challenge as noted in step S102. The challenge contains a similar set of flags supported or required by the server application, enabling an agreement on the authentication parameters between the server application and the client application. The client application uses the challenge obtained in step S102 and a user's credentials associated with the client application to calculate a response.
By way of example, one method that may be used to calculate the response includes the MD4/MD5 hashing algorithms and DES encryption. However, other methods are contemplated. The client application then transmits the response as shown in step S104. The above three steps constitute the challenge/response sequence. Additionally, the server application may validate the response and return the result to the client application as shown in step S106.
The client application may be a personal computer, handheld device, or any other similar device that may be associated with a user or the user's credentials. The client application may also include a browser used to communicate with the server application via the Internet or a network. The client application seeks access to the server application. The server application, on the other hand, will request authentication so that the client application may properly gain access to the server application. The server application may be a server computer, a personal computer, or a similar device.
Referring now to FIG. 5, the challenge/response sequence includes an authentication server. The authentication server is a server that provides authentication services to users or other systems via networking. Remotely placed client applications and other server applications authenticate to the authentication server. Some authentication algorithms that may be used with authentication servers are passwords, Kerberos, and public key encryption by way of example and not of limitation.
Similar to the challenge/response sequence provided in FIG. 4, the client application transmits a challenge/response request to the server application in step S100. However, the server application forwards the challenge/response request to the authentication server in step S101. This step may be necessary where the server application does not include or store the credentials used for authenticating the client application. The authentication server generates the challenge and transmits the challenge to the server application in step S103; the server application then forwards the challenge to the client application according to step S102. The client application generates and transmits a response to the server application in step S104. The server application forwards the response to the authentication server for validation in step S105. The validation result is transmitted to the server application in step S107 and forwarded from the server application to the client application in step S106. Now the client application may access the server application.
While the above method may be useful for authentication between the client application and the server application, there are some disadvantages. If the server application needs to contact a second server application, it may not be able to do so if the second server application requires authentication. The first server application may not be able to authenticate to the second server application because it lacks the credentials associated with the client application. Thus, authentication by the first server application to the second server application may not be possible using the same protocol. Instead, the first server application must use a different protocol. Alternatively, the first server application may use fixed credentials such as a username and password and always use those credentials to authenticate to the second server application, without having to use the credentials of the client application. However, this may be cumbersome, as the first server application will be functioning under the client application while the second server application will be functioning under the first server application or a different user.
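The following is an added illustration, not part of the patent text, of the three-step sequence of FIG. 4 and of the limitation just described: a first server that holds only the client's response to its own challenge cannot use that response to satisfy a second server, which issues a fresh challenge. The credential store, the SHA-256/HMAC response computation (standing in for the MD4/MD5 and DES method named above) and the session and flag names are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed credential store; stands in for whatever holds user credentials
# (the server application or an authentication server in the description).
CREDENTIALS = {"alice": b"correct horse battery staple"}

def derive_key(password: bytes) -> bytes:
    # Assumed stand-in for the MD4/MD5-based password hash; NTLM's exact
    # derivation is deliberately not reproduced here.
    return hashlib.sha256(password).digest()

class Server:
    def __init__(self, name: str, credentials: dict):
        self.name = name
        self.credentials = credentials
        self.challenges = {}  # outstanding challenge per session

    def challenge(self, request: dict) -> dict:
        # Step S102: answer the request (S100) with a fresh random challenge and
        # the subset of requested flags this server supports.
        nonce = os.urandom(16)
        self.challenges[request["session"]] = nonce
        return {"nonce": nonce, "flags": request["flags"] & {"mutual_auth"}}

    def validate(self, session: str, user: str, response: bytes) -> bool:
        # Step S106: recompute the expected response for this server's own
        # challenge and compare in constant time. A challenge is single-use.
        nonce = self.challenges.pop(session, None)
        password = self.credentials.get(user)
        if nonce is None or password is None:
            return False
        expected = hmac.new(derive_key(password), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password: bytes, challenge: dict) -> bytes:
    # Step S104: the response binds the user's credentials to this challenge.
    return hmac.new(derive_key(password), challenge["nonce"], hashlib.sha256).digest()

def run_sequence(server: Server, user: str, password: bytes, session: str = "s1"):
    chal = server.challenge({"session": session, "flags": {"mutual_auth"}})
    resp = client_response(password, chal)
    return server.validate(session, user, resp), resp

def delegate_by_replay(first: Server, second: Server, user: str, session: str = "s1"):
    # The first server authenticates the client, then tries to reuse the client's
    # response against the second server's own challenge: it fails, because the
    # first server never held the client's credentials, only one bound response.
    ok_first, resp = run_sequence(first, user, CREDENTIALS[user], session)
    second.challenge({"session": session, "flags": set()})
    return ok_first, second.validate(session, user, resp)
```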
A method for authenticating a client application to a server application and a second server application may be accomplished by delegation. Delegating authentication allows the server application to act as a conduit between the client application and the second server application. Alternatively, the server application may act as a conduit between the client application and a plurality of server applications. After the client application authenticates itself directly to the server application, the server application may authenticate itself to the second server application on behalf of the client application. This is accomplished using the credentials associated with the client application.
However, delegating the authentication between the client application and the second server application requires a trusted third party. A trusted third party is an entity that facilitates interactions between two parties who both trust the third party. The third party reviews all critical transaction communications between parties. A trusted third party is common in commercial transactions and in cryptographic digital transactions. Transactions that require a trusted third party may also require a third party repository service adding to the complexity of the delegation process.
Authenticating a client application to a server application using a challenge/response protocol does not require a trusted third party. In computer security, challenge/response authentication is a protocol in which one party presents a question (“challenge”) and another party must provide a valid answer (“response”) for authentication. One example of a challenge/response protocol is password authentication, where the challenge is a request for the password and a valid response is calculated using the correct password. However, the challenge/response protocol is used for single-level authentication between a client application and a server application. In the case where the client application needs to be authenticated to a server application and a second server application, a challenge/response protocol has not been utilized.
Accordingly, a method for delegating authentication of a client application to multiple server applications using a challenge/response protocol that does not require a trusted third party is advantageous.